jwilder/nginx-proxy で Qualys SSL Labs テストを 400 点満点にする ref: https://qiita.com/danmaq/items/bc70f609eb3177e40979

file0.txt

$ openssl dhparam -out dhparam.pem 4096

file1.txt

$ openssl genrsa -aes256 -out example.com.p.key 4096

Enter pass phrase for example.com.p.key: パスワードを作る
Verifying - Enter pass phrase for example.com.p.key: パスワードを再入力

$ openssl rsa -in example.com.p.key -out example.com.key

Enter pass phrase for example.com.p.key: パスワードを再入力

ここまででパスワードは忘れてよい
$ rm example.com.p.key

file10.txt

$ sudo docker-compose build
$ sudo docker-compose up

file2.txt

$ openssl req -new -key example.com.key -out example.com.csr

Country Name (2 letter code) []:JP <- 国記号
State or Province Name (full name) []:Tokyo <- 都道府県名
Locality Name (eg, city) []:Chiyoda-ku <- 市区郡名
Organization Name (eg, company) []:Personal <- 法人名、個人なら Personal とか
Organizational Unit Name (eg, section) []:SSL <- 部署名、なければ適当に入れる
Common Name (eg, fully qualified host name) []:*.example.com <- 取りたい証明書のドメイン
Email Address []:[email protected] <- メールアドレス
A challenge password []: <- 何も入れずに Enter

file3.txt

-----BEGIN CERTIFICATE-----
MII...(SSLサーバ証明書 X.509)...=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...(中間証明書 X.509)...=
-----END CERTIFICATE-----

file4.txt

version: '2'
services:

  proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: example-proxy
    restart: always
    ports:
    - '80:80'
    - '443:443'
    volumes:
    - '/opt/example.com/certs:/etc/nginx/certs'
    - '/opt/example.com/dhparam:/etc/nginx/dhparam'
    - '/var/run/docker.sock:/tmp/docker.sock:ro'

  root:
    image: 'nginx:alpine'
    container_name: example-root
    restart: always
    environment:
      VIRTUAL_HOST: example.com

  foo:
    image: 'httpd:alpine'
    container_name: example-foo
    restart: always
    environment:
      VIRTUAL_HOST: foo.example.com

file5.txt

$ sudo docker-compose up

file6.txt

$ sudo docker-compose down

file7.txt

FROM jwilder/nginx-proxy:alpine
RUN \
    sed -i -e 's/max-age=31536000/max-age=31536000; includeSubDomains; preload/g' /app/nginx.tmpl && \
    sed -i -e 's/ssl_session_tickets off/ssl_session_tickets on/g' /app/nginx.tmpl && \
    sed -i -e "s/ssl_ciphers '\(.\+\)';/ssl_ciphers '\1:!aNULL!eNull:!EXPORT:!DES:!3DES:!MD5:!DSS:!AES128';/g" /app/nginx.tmpl && \
    sed -i '/ssl_dhparam/a\\ssl_ecdh_curve secp384r1;' nginx.tmpl && \
    sed -i '/add_header/a\        add_header Public-Key-Pins "pin-sha256=\\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\\"; pin-sha256=\\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\\"; max-age=5184000; includeSubDomains\\"";' nginx.tmpl

file8.txt

$ openssl rsa -in example.com.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

file9.yml

version: '2'
services:

  proxy:
    build: .
    # ↑ 差し替え (*1)
    container_name: example-proxy
    restart: always
    ports:
    - '80:80'
    - '443:443'
    volumes:
    - '/opt/example.com/certs:/etc/nginx/certs'
    - '/opt/example.com/dhparam:/etc/nginx/dhparam'
    - '/var/run/docker.sock:/tmp/docker.sock:ro'

  root:
    image: 'nginx:alpine'
    container_name: example-root
    restart: always
    environment:
      VIRTUAL_HOST: example.com
      SSL_POLICY: 'Mozilla-Modern'
      # ↑ 追加 (*2)

  foo:
    image: 'httpd:alpine'
    container_name: example-foo
    restart: always
    environment:
      VIRTUAL_HOST: foo.example.com
      SSL_POLICY: 'Mozilla-Modern'
      # ↑ 追加 (*2)